Date of Award

11-2016

Document Type

Thesis

Degree Name

Master of Science in Information Systems (MSIS)

Department

Information Security

First Advisor

Dr. Zouheir Trabelsi

Second Advisor

Dr. Ezedin S. Baraka

Third Advisor

Dr. Fatma Outay

Abstract

A firewall is a hardware or software device that performs inspection on a given incoming/outgoing packets and decide whether to allow/deny the packet from entering/leaving the system. Firewall filters the packets by using a set of rules called firewall policies. The policies define what type of packets should be allowed or discarded. These policies describe the field values that the packet header must contain in order to match a policy in the firewall. The decision for any given packet is made by finding the first matching firewall policy, if any.

In a traditional firewall, the packet filter goes through each policy in the list until a matching rule is found; the same process is again repeated for every packet that enters the firewall. The sequential lookup that the firewall uses to find the matching rule is time consuming and the total time it takes to perform the lookup increases as the policy in the list increases. Nowadays, a typical enterprise based firewall will have 1000+ firewall policy in it, which is normal.

A major threat to network firewalls is specially crafted malicious packets that target the bottom rules of the firewall’s entire set of filtering rules. This attack’s main objective is to overload the firewall by processing a flood of network traffic that is matched against almost all the filtering rules before it gets rejected by a bottom rule. As a consequence of this malicious flooding network traffic, the firewall performance will decrease and the processing time of network traffic may increase significantly

The current research work is based on the observation that an alternative method for

the firewall policies can provide a faster lookup and hence a better filtering performance. The method proposed in this research relies on a basic fact that the policy c a n be represented as a simple Boolean expression. Thus, Binary Decision Diagrams (BDDs) are used as a basis for the representation of access list in this study.

The contribution of this research work is a proposed method for representing firewall

Policies using BDDs to improve the performance of packet filtering. The proposed mechanism is called Static Shuffling Binary Decision Diagram (SS-BDD), and is based on restructuring of the Binary Decision Diagram (BDD) by using byte-wise data structure instead of using Field-wise data structure. Real world traffic is used during the simulation phase to prove the performance of packet filtering. The numerical results obtained by the simulation shows that the proposed technique improves the performance for packet filtering significantly on medium to long access lists. Furthermore, using BDDs for representing the firewall policies provides other

Useful characteristics that makes this a beneficial approach to in real world.

Share

COinS